MedISAO is an information sharing and analysis organization

What is an ISAO?

Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, encourages the development of Information Sharing and Analysis Organizations (ISAOs) to serve as focal points for cybersecurity information sharing.

ISAOs are employed for the purpose of:

  • Gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems

  • Communicating or disclosing critical cyber and related information to help prevent, detect, mitigate, or recover from the effects of an interference, compromise, or incapacitation problem related to cyber systems

  • Voluntarily disseminating critical cyber and related information to its members; federal, state, and local governments; or any other entities that may be of assistance in carrying out the purposes specified above

Why should I join MedISAO?

MedISAO understands the regulatory, safety, and business needs of the medical device industry. Our analysis, best practices, and information sharing are targeted directly to small-to-medium-sized medical device manufacturers and service providers. Our community is dedicated to sharing relevant information on best practices, new threats and vulnerabilities. Members of MedISAO get a head start in complying with cybersecurity guidances, real-time access to cybersecurity threats, tools and training from cybersecurity experts, and networking opportunities with other members. MedISAO member organizations can avoid costly reporting procedures (21 CFR 806) when cyber vulnerabilities are discovered in the field, as long as certain conditions are met. Member organizations can use MedISAO's Coordinated Vulnerability Disclosure process, which fulfills a key tenet of the FDA's Guidance on Postmarket Management of Cybersecurity in Medical Devices.


How much does it cost?

See our pricing page.

How does MedISAO protect confidential information?

Companies can avoid costly corrective action reporting requirements (21 CFR 806) by reporting vulnerabilities directly to MedISAO.  However, this may cause concern that MedISAO does not adequately protect confidential information of its members. 

Any member that shares information with MedISAO will specify the level of visibility of that information using a "Traffic Light Protocol", based on the familiar concepts of green/yellow/red:

  • White:  No limits on publication -- can be shared with general public or news organizations

  • Green:  Can be shared with other ISAOs and their members

  • Amber:  Can be shared with organizational members of MedISAO, only if they have signed an NDA

  • Red:  Cannot be shared at all

All confidential information is submitted on our secure webform and is stored in encrypted storage on our servers. 

Payment information is securely stored offsite via Stripe.

What are MedISAO's documented policies?

How do I report a vulnerability in a device?

MedISAO runs a Coordinated Vulnerability Disclosure Program free for our members.

Report a vulnerability, and we will share it securely with the affected member organization.

What is expected of members?

There are no minimum participation requirements for members, but obviously we encourage all members, individual and organizational, to participate and contribute as much as possible.

Specifically, we encourage members to:

  • Submit any vulnerabilities to MedISAO through our Secure Vulnerability Disclosure form

  • Specify those vulnerabilities with as permissive a level of visibility as possible, so the information can be useful to others

  • Take advantage of our Coordinated Vulnerability Disclosure Program, included free for all organizational members

  • Participate in the member discussion forums by asking questions and sharing their expertise

  • Read through our training materials and adopt best practices in their own organizations to make everyone safer

Who is MedISAO?

  • MedISAO does not publish a complete list of member organizations, but you can see a partial list of members on the home page.

  • MedISAO is organized by MedCrypt, Inc., a healthcare-first cybersecurity company.  
